MC IPsec overview

Overview

MC IPsec provides a stateful failover mechanism for IPsec tunnels between NEs in an active and standby configuration. Stateful failover allows IPsec traffic to continue to be forwarded without interruption if a failure occurs. MC IPsec provides protection for NE or MS-ISA failure. If an active NE fails, the IPsec tunnels failover to the standby peer without needing to re-establish the session. The failover mechanism can occur at the tunnel group level. A tunnel group can failover to the standby NE, independently of other tunnel groups on the active NE.

A mastership protocol is used to elect the active NE peer. The NFM-P synchronizes IPsec configuration states between the active and standby peers so that existing tunnels do not need to be re-established when a switchover occurs. The IPsec traffic is sent to the active NE peer using an IPsec route policy that exports IPsec routes to the routing protocol. The route metric is then changed according to the changes in active and standby roles.

You can view the role of a peer in an MC IPsec tunnel group by verifying the Master State indicator on the MC IPsec Group configuration form. The states are:

You can view the details of the last switchover on the MC IPsec Tunnel Group (Edit) form for a peer that is part of the group. Review the values of the following parameters provided on the States panel:

MC IPsec only supports IKEv2 static LAN-to-LAN tunnel. MC IPsec is supported only on the 7450 ESS-4, 7450 ESS-6, 7450 ESS-6v, 7450 ESS-7, and 7450 ESS-12 in mixed mode and in chassis mode D, and on the 7750 SR-7, 7750 SR-12, 7750 SR-c12 and 7750 SR-12E in chassis mode D.

Note: The MC IPsec peers must be of the same device type. For example, the NEs in an MC peer group must each be 7750 SR or 7450 ESS.

You can use the NFM-P to create MC IPsec non-forwarding events on VRRP policies to track the MEP state of MC IPsec-based static routes. See To configure a VRRP priority-control policy for more information.

IPsec VPN does not support redundancy.